Practical Product Composition Approach for an Embedded Cryptographic Component (E22c)
With the imminent publication of the Dedicated Security Component (DSC) collaborative Protection Profile (cPP), cryptographic capabilities that are currently specified in other Protection Profiles (PPs) (such as NIAP’s Mobile Device Fundamentals PP) could soon be satisfied by a DSC component. In order to avoid duplicating evaluation effort, promote re-use of DSC evaluation results, and allow flexibility in dependent-technology implementations, an approach is needed so that embedded components (such as the DSC) can be evaluated once, and have the evaluation results available for use in dependent component (e.g., a mobile device) evaluations. This talk will address the theoretical basis and practical mechanics of specifying and evaluating such a composite TOE in a non-EAL, protection profile-based evaluation under the US Scheme. Key aspects of the approach (such as the ability to specify which component implements a given cryptographic function, production of evaluation results to be re-used, and necessary structures in the PPs) will be covered. While the talk will specifically cover the Mobile Device use case, in the future, NIAP envisions this approach being used for many other technologies, such as operating systems, certificate authorities, application software, and general-purpose computing platforms.